aryabhata remainder theorem: relevance to public-key crypto ...

More documents

Recommendations

Info

8 RAO AND YANG 3.2. Multiplicative inverse algorithm The EEA can be improved to perform better if only one inverse is required. For instance, if a −1 mod b is required for a > b, we may just as well begin with a mod b = c and find c −1 mod b. In that case, the xi computation will be one less step. Further, if the initial values are set appropriately, the inverse can be obtained in n − 2 forward steps (each step: one multiplication and one addition), the same number of steps as in the IAA (Section 1.2). We illustrate this by using the same example as before with another table. Example 5. Find 137 −1 mod 60 (a = 137 and b = 60) We start with r0 = b = 60, r1 = a mod 60 = 17, and x1 = 1. The iterations begin from i = 2 with the normal division process: qi ← quotient(ri−2/ri−1), ri ← ri−2 mod ri−1, and x2 = q2. The iteration proceeds: xi ← xi−1 · qi + xi−2 (for i > 2). i ri qi xi 0 60 – – 1 17 – 1 2 9 3 3 3 8 1 4 4 1 1 7 5 0 From this we observe the following: a · xi(−1) i−1 mod b = ri for i ≥ 1, 137 · 7(−1) 4−1 mod 60 = 1, X = 137 −1 mod 60 = 60 − 7 = 53. We can now state the following lemma. Lemma 3. Let a, b, ri, qi, and xi be defined as above. Then a −1 mod b exists iff xn = 1 (for some n > 1) and is given by a −1 mod b = xn(−1) n−1 . Proof. First, we need to prove that a · xi(−1) i−1 mod b = ri holds for i ≥ 1. For i = 1, we have x1 = 1 and a · x1(−1) i−1 mod b = r1. Fori = 2, we have the division equation r2 = r0 − q2 · r1 = r0 − x2 · r1. Taking mod b on both sides, we get (−x2) · r1 mod b = r2, which is the same as (−x2)a mod b = r2. For i = 3, we start with r3 = r1 − q3 · r2 = r1 · x1 − q3(r0 − x2 · r1) = r1(x2 · q3 + x1) − q3 · r0 = r1 · x3 − q3 · r0. Taking mod b on both sides, we have r1 · x3 mod b = r3 and a · x3 mod b = r3. Continuing this process, we obtain a · xn(−1) n−1 mod b = rn = 1 and a −1 mod b = xn(−1) n−1 . ✷
ARYABHATA REMAINDER THEOREM 9 Algorithm for a−1 mod b Step 1. r0 ← b r1 ← a mod b if r1 = 0, then go to Step 4 else x1 ← 1 ι ← 2 Step 2. qi ← quotient(ri−2/ri−1) ri ← ri−2 mod ri−1 If ri = 0, then go to step 3 else if i = 2, then xi ← qi else xi ← xi−1 · qi + xi−2 i ← i + 1 go to Step 2 Step 3. If ri−1 = 1, then if i is even, then return (xi) else return (b − xi) Step 4. print “Inverse does not exist” 4. Chinese remainder theorem (CRT) Let X = CRT(v1,v2,...,vt; m1, m2,...,mt; M = t i=1 mi) for (mi, m j) = 1, for all i = j. Then X is given by t X = vi(M/mi)yi mod M, i=1 where yi = (M/mi) −1 mod mi. Example 6. X = CRT(2, 1, 3, 8; 5, 7, 11, 13; 5005) y1 = (5005/5) −1 mod 5 = (1001) −1 mod 5 = 1 y2 = (5005/7) −1 mod 7 = (715) −1 mod 7 = 1 y3 = (5005/11) −1 mod 11 = (455) −1 mod 11 = 3 y4 = (5005/13) −1 mod 13 = (385) −1 mod 13 = 5 X = 2 · 1001 · 1 + 1 · 715 · 1 + 3 · 455 · 3 + 8 · 385 = (2002 + 715 + 4095 + 15400) mod 5005 = 2192. Remark. CRT requires t inverse operations and a reduction operation modulo M. As explained in [9], the number of bit operations O(k 2 t 2 ) = O(n 2 ), where k is the maximum bit size of the residues and n is the combined number of bits in modular representation of v(x).
Page 1 and 2: CIRCUITS SYSTEMS SIGNAL PROCESSING
Page 3 and 4: ARYABHATA REMAINDER THEOREM 3 proce
Page 5 and 6: ARYABHATA REMAINDER THEOREM 5 Lemma
Page 7: ARYABHATA REMAINDER THEOREM 7 key d
Page 11 and 12: ARYABHATA REMAINDER THEOREM 11 mi,
Page 13 and 14: ARYABHATA REMAINDER THEOREM 13 Also
Page 15: ARYABHATA REMAINDER THEOREM 15 [7]

aryabhata remainder theorem: relevance to public-key crypto ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?